Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:93191 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 70288 invoked from network); 11 May 2016 04:38:03 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 11 May 2016 04:38:03 -0000 Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.192.46 as permitted sender) X-PHP-List-Original-Sender: yohgaki@gmail.com X-Host-Fingerprint: 209.85.192.46 mail-qg0-f46.google.com Received: from [209.85.192.46] ([209.85.192.46:34673] helo=mail-qg0-f46.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id E8/31-64493-927B2375 for ; Wed, 11 May 2016 00:38:02 -0400 Received: by mail-qg0-f46.google.com with SMTP id 90so18199804qgz.1 for ; Tue, 10 May 2016 21:38:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-transfer-encoding; bh=IXBG9qV1omLRJQhJEOaX8fP1P/7BFXCwaD4yZOH6V50=; b=L0cmvMKs3UeD6lwi53SjAO0dpUCuPgAliC7/bOnmZYBFMHnEHjV+Sb31Phed4p3Tvb YDMClGMuP9flJmqatnEhg1fyRPRHYmQHJx4Efo+lubJFJx+anuzqbcRawz/D13WnOLSM bc2atQv9V3JP20cmlV6k9RMfDUiB9dMLN0UzcCgroxz0GB2HJ5yLx6rTzAeN+ZJIDLPi xUGF7Ah9jUhpQKDoMr3yLXPmlunBMqoGtGPM1Uil40xeyfxemEscvO//ZsZhLm0f2Ub5 hMQ0joFtO3Rjw33DhRosDAM98RP8kUaXQO23oaoeijurxC0NXFeGkoknNozZiyJv5Yb0 98Jg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc:content-transfer-encoding; bh=IXBG9qV1omLRJQhJEOaX8fP1P/7BFXCwaD4yZOH6V50=; b=Q9ZYxVNgmcDN6Hyh4GXZveMrYSYzT1wPAa6R7cG7XTpZ4m+YjNIg23RDfU8f31TPcE OVucQDPrNcaXh69pCvJNM8VdzaMeqHmZqsbg7/jGtKuAaxJJ+7YaQ6hNcmnisaoTtXQF ze3XHyhXMnRDaKM7Nc0lsX/XDbGkIEb9Z5l0qpFefRilj4l+QV7J30xxnDGl327rPa1c WzRUVjtGewKW4JbhDpkxMU7wsxN2oYUwgEcU5ropeCVcLGxVtdpfQxmKV2OYHNGWOfTB T/5x9S2WhFB8oHIVd/ITbyx/Qq0lldcTfGk8eFnvFsq7RPBfKoFL8nANtTE8asVZd6cH jbPQ== X-Gm-Message-State: AOPr4FVuDRKDMYDug/ebXKbxq4BEBRKVhwKNaT3+ph9INkczuvt3z+pjNBWhnwxTSirsm0tVA5eHSB8LigWiBw== X-Received: by 10.141.3.66 with SMTP id f63mr1257568qhd.55.1462941479384; Tue, 10 May 2016 21:37:59 -0700 (PDT) MIME-Version: 1.0 Sender: yohgaki@gmail.com Received: by 10.140.27.133 with HTTP; Tue, 10 May 2016 21:37:19 -0700 (PDT) In-Reply-To: References: <3b115b37-d399-0b69-24b4-de5c95c4a069@gmail.com> Date: Wed, 11 May 2016 13:37:19 +0900 X-Google-Sender-Auth: nIobVq2BsN4g9VftcaG7QWHSQ-4 Message-ID: To: =?UTF-8?B?S2lubiBKdWxpw6Nv?= Cc: "internals@lists.php.net" , Stanislav Malyshev Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Subject: Re: [PHP-DEV] [RFC DRAFT] Automatic CSRF Protection From: yohgaki@ohgaki.net (Yasuo Ohgaki) Hi Kinn, On Wed, May 11, 2016 at 11:56 AM, Kinn Juli=C3=A3o wrote= : > The point with your example is: > The cross site can request the "get_csrf_token.php", store on its session > (even curl can save the session id cookie or whatever), get the token and > request the endpoint with the retrieved token and session id. > > Got it? Wrong assumption. How would you set attacker's session ID to victim? BTW, session hijack/adoption is not scope of this RFC, but precise session management RFC. Regards, -- Yasuo Ohgaki yohgaki@ohgaki.net